Malicious Modules Found in Python Repository

Slovakia's National Security Authority is warning that the Python Package Index (PyPI) has been serving malicious code packages. Since June, the official Python repository has included modified code packages with names very similar to the standard code packages. The modified code packages have slightly different installation scripts which contain "malicious (but relatively benign) code."

"Such packages may have been downloaded by unwitting developer[s] or administrator[s] by various means, including the popular 'pip' utility (pip install urllib)," the Slovak authorities warned. "There is evidence that the fake packages have indeed been downloaded and incorporated into software multiple times between June 2017 and September 2017."

In response, PyPI has issued a statement which says, in part, "Since the publishing of the announcement we've received many suggestions for how to prevent this sort of attack in the future. We're considering all of the options and nothing is off the table, but we caution that any solution will take time to implement." The statement also noted that PyPI is run by volunteers and does not have any full-time staff.
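The two traits of the fake packages described above, names that collide with standard-library modules (the `pip install urllib` case) and names one edit away from a real package, are both mechanically checkable. The following audit script is an added example, not code from the advisory or from PyPI; `KNOWN_PACKAGES` is a constructed sample list, and the standard-library fallback list is also constructed for interpreters older than 3.10.

```python
# Added example: flag requirement names that name a Python standard-library module
# (never legitimately pip-installed) or sit one edit away from a well-known package.
import sys

# Constructed sample of legitimate PyPI project names to compare against.
KNOWN_PACKAGES = {"requests", "urllib3", "django", "flask", "numpy", "setuptools"}

def stdlib_module_names():
    """Standard-library module names; sys.stdlib_module_names exists on 3.10+."""
    names = getattr(sys, "stdlib_module_names", None)
    if names is None:  # constructed fallback for older interpreters
        names = {"urllib", "os", "sys", "json", "http", "socket"}
    return set(names)

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    """PyPI treats case and the separators '-', '_' and '.' as equivalent."""
    return name.lower().replace("-", "_").replace(".", "_")

def classify(name):
    """Return 'ok', 'stdlib' or 'lookalike:<known>' for one requirement name."""
    n = normalize(name)
    if n in {normalize(k) for k in KNOWN_PACKAGES}:
        return "ok"
    if n in stdlib_module_names():
        return "stdlib"
    for known in KNOWN_PACKAGES:
        if edit_distance(n, normalize(known)) <= 1:
            return "lookalike:" + known
    return "ok"

def audit_requirements(text):
    """Scan requirements.txt content; return {name: verdict} for flagged entries."""
    flagged = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = line.split("==")[0].split(">=")[0].split("[")[0].strip()
        verdict = classify(name)
        if verdict != "ok":
            flagged[name] = verdict
    return flagged
```

Run it over a requirements file before installation; a `stdlib` verdict means the entry cannot refer to anything legitimate on PyPI, and a `lookalike` verdict deserves a manual look at the project page.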
